ISC2 Certified Cloud Security Professional (CCSP) Practice Question

A U.S. retailer uses an IaaS provider that may mirror customer data from its Frankfurt region to servers in South Africa for disaster-recovery purposes. Because the data includes EU residents' personally identifiable information, the retailer is concerned about violating GDPR restrictions on international transfers. Which contract provision best reduces this legal risk?

A right-to-audit clause allowing the retailer to inspect the provider's data centers
A service-level agreement guaranteeing 99.999 percent availability with financial penalties
A contractual reference to the U.S. CLOUD Act to handle government disclosure requests
Inclusion of the European Commission's Standard Contractual Clauses governing transfers of personal data outside the EEA

Report Issue

Answer Description

Under the GDPR, personal data may leave the European Economic Area only if adequate safeguards exist. The European Commission's Standard Contractual Clauses (SCCs) are an approved safeguard that contractually obligates both the data exporter and the data importer to provide GDPR-equivalent protections when data is sent to a third country such as South Africa, which does not currently have an EU adequacy decision. Adding SCCs to the outsourcing agreement therefore directly addresses the cross-border transfer risk. A right-to-audit clause improves oversight but does not by itself satisfy Article 46 requirements. A 99.999 percent availability commitment concerns service uptime, not data-transfer legality. Referencing the U.S. CLOUD Act relates to government access requests and does not create a lawful basis for exporting EU personal data.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.